
Researchers Find New Twists In ‘Olympic Destroyer’ Malware

Researchers now believe attackers may have had prior access to networks and that malware was more sophisticated than originally believed.

Researchers have uncovered new wrinkles in the “Olympic Destroyer” malware attack that targeted the Winter Olympics in Pyeongchang, South Korea.

Cisco Talos researchers now believe the malware also wipes files on shared network drives. Originally researchers believed the malware only targeted single endpoints. Researchers also now believe the credentials-stealing component of the malware is more dynamic than originally thought.

Olympic Destroyer was deployed during the games’ opening ceremony on Feb. 9, and is blamed for disrupting TV broadcasts of the event and taking down the official Winter Games website. The effects of the attack were far reaching: attendees were unable to print tickets, and the WiFi network made available to journalists covering the opening ceremony went down.

Researchers at Cisco’s Talos unit said the sole purpose of the attack was to take down systems and not to steal information.

Olympic Destroyer’s goal is to make systems unusable by “deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment,” in similar fashion to the Bad Rabbit and Nyetya (NotPetya) ransomware, Cisco Talos initially wrote.
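The behaviours Talos lists above (shadow-copy deletion, event-log clearing, PsExec and WMI for lateral movement) are each visible in process-creation telemetry, and the combination on one host is far more telling than any one of them alone. The following is an added example, not Talos code or anything from the samples: it runs a handful of rules over constructed log lines in a hypothetical pipe-separated export of Sysmon Event ID 1 / Windows 4688 records (timestamp, host, user, parent process, command line). The command lines are the standard Windows tools for each action; the real samples’ exact command lines are not reproduced here.

```python
"""Flag Olympic Destroyer-style wiper behaviour in process-creation logs.

Added example (not Talos code). LOG_LINES are constructed; the field layout
timestamp|host|user|parent|cmdline is a hypothetical flattened log export.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    ts: str
    rule: str
    cmdline: str


# Rule name -> regex over the full command line. These are the usual built-in
# tools for the actions named in the Talos write-up, not sample-specific IOCs.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "psexec_remote_exec": re.compile(r"\bpsexec(\.exe)?\b.*\\\\", re.I),
    "wmi_remote_exec": re.compile(r"\bwmic(\.exe)?\b.*/node:", re.I),
}
DESTRUCTIVE = frozenset({"shadow_copy_deletion", "event_log_clearing"})
LATERAL = frozenset({"psexec_remote_exec", "wmi_remote_exec"})

# Constructed sample telemetry: one host doing the full wiper sequence, two benign hosts.
LOG_LINES = [
    r"2018-02-09T20:00:01Z|WS-101|OLY\svc_backup|explorer.exe|C:\Windows\System32\notepad.exe C:\Users\x\notes.txt",
    r"2018-02-09T20:00:05Z|WS-101|OLY\svc_backup|cmd.exe|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2018-02-09T20:00:06Z|WS-101|OLY\svc_backup|cmd.exe|C:\Windows\System32\wevtutil.exe cl System",
    r"2018-02-09T20:00:07Z|WS-101|OLY\svc_backup|cmd.exe|C:\Windows\System32\wevtutil.exe cl Security",
    r"2018-02-09T20:00:09Z|WS-101|OLY\svc_backup|cmd.exe|psexec.exe \\WS-102 -u OLY\svc_backup -p ******** -accepteula -d -s C:\Windows\Temp\x.exe",
    r"2018-02-09T20:00:10Z|WS-101|OLY\svc_backup|cmd.exe|wmic.exe /node:WS-103 /user:OLY\svc_backup process call create C:\Windows\Temp\x.exe",
    r"2018-02-09T20:01:00Z|WS-104|OLY\jdoe|explorer.exe|C:\Program Files\Mozilla Firefox\firefox.exe",
]


def parse_line(line: str) -> Event:
    # Split on the first four pipes only; a command line may itself contain '|'.
    ts, host, user, parent, cmdline = line.split("|", 4)
    return Event(ts, host, user, parent, cmdline)


def match_rules(event: Event) -> List[str]:
    """Names of every rule whose regex hits this event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event.cmdline)]


def scan(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        for rule in match_rules(ev):
            findings.append(Finding(ev.host, ev.ts, rule, ev.cmdline))
    return findings


def rules_by_host(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return out


def suspicious_hosts(findings: Iterable[Finding]) -> List[str]:
    """Hosts that both destroyed local recovery/audit data and pushed execution
    to other machines. A lone wevtutil run by an admin is noise; the
    combination is the wiper's pattern."""
    return sorted(host for host, rules in rules_by_host(findings).items()
                  if rules & DESTRUCTIVE and rules & LATERAL)


if __name__ == "__main__":
    hits = scan(LOG_LINES)
    for f in hits:
        print(f"{f.ts} {f.host} [{f.rule}] {f.cmdline}")
    print("hosts matching wiper pattern:", suspicious_hosts(hits))
```

The per-host correlation is the useful part: shadow-copy deletion and log clearing by an admin account happen legitimately, but the same account doing both and then launching a binary on neighbouring hosts via PsExec or WMI within seconds is the sequence described above and deserves an immediate isolation decision.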

Olympic Destroyer includes a binary that targets machines with a pair of “stealing modules.” One grabs any user credentials saved in the Internet Explorer, Firefox and Chrome browsers, and the other plucks them from Windows’ Local Security Authority Subsystem Service (LSASS), the Windows process that enforces the local security policy and holds logged-on users’ credentials in memory. “The malware parses the registry and it queries the sqlite file in order to retrieve stored credentials,” Talos said.

In a tweet, Talos researcher Craig Williams noted that the unit’s analysis of the attack also suggests a “prior compromise” of targeted Olympic Games systems. “Our post has been updated to include the impact on network shares – Shocker – they are effectively wiped: Olympic Destroyer Takes Aim At Winter Olympics with indications of prior compromise,” he wrote.

When researchers took a closer look at Olympic Destroyer binaries associated with the attack, they discovered that new credentials were added to the code with each infection.

“A new version of the binary is generated with the newly discovered credentials,” Talos wrote in an update first noted by BleepingComputer. “This new binary will be used on the new infected systems via the propagation. This feature explains why we discovered several samples with different sets of credentials that were collected from previously infected systems.”

However, the method by which the malware was delivered remains unknown, Talos added: “If the attacker already had access to the environment, this attack could have been carried out remotely. This would allow the actors to specifically pinpoint the moment of the opening ceremony and would allow them to control their time of impact.”

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony,” the report stated.
